CVE-2026-43568
Privilege Escalation in OpenClaw via Dreaming Endpoint
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | Before 2026.4.10 (excluded) |
| openclaw | openclaw | From 2026.4.5 (included) to 2026.4.10 (excluded) |
| openclaw | openclaw | From 2026.4.10 (included) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-43568 is a privilege escalation vulnerability in OpenClaw versions 2026.4.5 through 2026.4.9. It allows attackers who have write-scoped gateway access to modify persistent memory dreaming settings via the /dreaming endpoint, which should only be accessible to admin-level users.
The vulnerability arises because the system does not properly check if the user has admin privileges before allowing changes to the dreaming configuration. This improper authorization allows attackers to toggle admin-class configuration mutations, effectively escalating their privileges.
The issue was fixed in version 2026.4.10 by adding checks that require admin scope to mutate dreaming settings and normalizing missing scopes to prevent silent privilege escalation.
How can this vulnerability impact me?
This vulnerability can allow an attacker with write-scoped gateway access to escalate their privileges to admin level by modifying persistent memory dreaming settings through the /dreaming endpoint.
As a result, the attacker could make unauthorized configuration changes that are normally restricted to administrators, potentially compromising the security and integrity of the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized modification of persistent memory dreaming settings via the /dreaming endpoint by write-scoped operators. Detection can focus on monitoring access and changes to this endpoint.
You can detect potential exploitation by checking logs or network traffic for requests to the /dreaming endpoint that attempt to toggle dreaming settings without admin privileges.
Suggested checks include inspecting gateway client scopes and monitoring the commands sent to the /dreaming endpoint. For example, review the logs for commands such as `/dreaming on` or `/dreaming off` issued by clients that do not hold an admin scope.
Since the vulnerability is related to improper authorization, you may also audit the scopes assigned to gateway clients to identify any write-scoped operators attempting admin-class configuration mutations.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenClaw to version 2026.4.10 or later, as this version contains the patch that fixes the privilege escalation vulnerability.
The patch enforces proper authorization by requiring admin privileges to mutate dreaming settings via the /dreaming endpoint, preventing write-scoped operators from making unauthorized changes.
Additionally, review and restrict gateway client scopes to ensure that only trusted users have admin-level access, minimizing the risk of exploitation.
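As an added illustration (not OpenClaw's own code), the missing-authorization pattern explained above next to the hardened check the patch is described as adding, including the normalization of a missing scope list. The scope names, the client shape and the `/dreaming on|off` command form are assumptions made for this example.

```typescript
// Added example, not OpenClaw's own code: models the CWE-862 gap described
// above and the fix the advisory summarizes. Scope names, the client shape
// and the "/dreaming on|off" command form are assumptions for illustration.

type Scope = "operator.read" | "operator.write" | "operator.admin";

// A legacy client may carry no scope list at all (assumed).
interface GatewayClient { id: string; scopes?: Scope[] }

type Decision = { ok: true } | { ok: false; reason: string };

// Normalize a possibly missing scope list to an explicit array: a missing
// list means "no scopes", never "unrestricted", so it cannot slip past a check.
function normalizeScopes(scopes?: Scope[]): Scope[] {
  return scopes ?? [];
}

// VULNERABLE pattern (the pre-2026.4.10 behaviour as described): an
// admin-class mutation gated only on the write scope.
function authorizeDreamingMutationVulnerable(client: GatewayClient): Decision {
  return normalizeScopes(client.scopes).includes("operator.write")
    ? { ok: true }
    : { ok: false, reason: "write scope required" };
}

// HARDENED pattern: toggling dreaming is an admin-class mutation, so the
// admin scope is required explicitly; write-only clients are denied.
function authorizeDreamingMutation(client: GatewayClient): Decision {
  return normalizeScopes(client.scopes).includes("operator.admin")
    ? { ok: true }
    : { ok: false, reason: "admin scope required to mutate dreaming settings" };
}

// Command handler: parses "/dreaming on|off", applies the toggle only when the
// authorizer allows it, and returns the decision so denials can be logged.
function handleDreamingCommand(
  client: GatewayClient,
  command: string,
  currentlyEnabled: boolean,
  authorize: (c: GatewayClient) => Decision = authorizeDreamingMutation,
): { enabled: boolean; decision: Decision } {
  const m = /^\/dreaming\s+(on|off)$/i.exec(command.trim());
  if (!m) return { enabled: currentlyEnabled, decision: { ok: false, reason: "unrecognized command" } };
  const decision = authorize(client);
  if (!decision.ok) return { enabled: currentlyEnabled, decision };
  return { enabled: (m[1] ?? "").toLowerCase() === "on", decision };
}
```

Logging the `reason` of every denied decision gives the audit trail the detection answer above asks for: a write-scoped client repeatedly hitting the admin-scope denial is exactly the signal to investigate.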
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.